Keystone authentication with database and LDAP [closed]

Is it possible to enable LDAP and database authentication in Keystone? I manually installed OpenStack and used username/password for each service account.
In my environment we have employees who can authenticate via LDAP and we have trainees who get only a local user account. Can I transfer this to the OpenStack installation, so that employees can use their LDAP account and trainees get a local account in the SQL database?
It would be nice if someone can give me the configuration if it is possible.

Closed for the following reason: the question is answered, right answer was accepted by tk8
Close date: 2017-11-13 08:29:28.388213

1 answer

If you put trainees in a different domain than regular employees, yes. You can set up a different identity backend (SQL or LDAP) for each domain. See this guide: https://docs.openstack.org/keystone/l....

Even if users are in different domains, they can participate in the same project. For example, you could define all your projects in the regular-employee domain, and give trainees roles in those projects.

Comments

If I understand it correctly, I have to use a default configuration file for the default domain with SQL? Then I create other domains with specific configuration files. That means one employee domain and one trainee domain. Is that right?

Not absolutely required, but a clean solution. You could put the trainees (for example) in the default domain, but once you start using domains, it's good practice to only keep the service users and the cloud admin in the default domain.

Thanks for your help. I've got two questions.
First: I created the domains folder in /etc/keystone and set rights to keystone user and group. Is that right?
Second: I created two domains and want to give trainees permission to a VM. I created a role but I don't get how to set the rights.
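
The per-domain backend layout described in the answer, as an added example that is not part of the original thread or of the Keystone guide it links to. The domain names `employees` and `trainees`, the LDAP host, the DNs and the CA file path are assumed placeholders; the option names are Keystone's own.

```ini
# ---- /etc/keystone/keystone.conf (main file) ----
# SQL stays the default identity backend; per-domain overrides are enabled.
[identity]
driver = sql
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains

# ---- /etc/keystone/domains/keystone.employees.conf ----
# The file name must be keystone.<domain name>.conf; "employees" is an
# assumed domain name and must match the domain created in Keystone.
# This file holds the LDAP bind password, so keep it readable only by
# the keystone user/group, not by other local users.
[identity]
driver = ldap

[ldap]
# Placeholder directory details (assumptions, replace with your own).
url = ldaps://ldap.example.com
user = cn=keystone-bind,ou=service,dc=example,dc=com
password = <BIND_PASSWORD>
suffix = dc=example,dc=com
user_tree_dn = ou=people,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
query_scope = sub
# Verify the directory server's certificate instead of trusting any peer.
tls_cacertfile = /etc/ssl/certs/ldap-ca.pem
tls_req_cert = demand

# ---- "trainees" domain (assumed name) ----
# No file is needed: a domain without its own keystone.<domain>.conf
# falls back to the [identity] driver in keystone.conf, which is sql here,
# so trainee accounts are created and stored locally in the database.
```

Keystone reads the files in `domain_config_dir` when the service starts, so restart it after adding or changing a domain file.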